Sending security alerts to other IT Admins and networks.
In this section I'm going to talk about one of my security alert scripts and what I do when I discover a server not conducting the business role it was designed for.
I'm going to assume you know the 5 levels of hacks and jump right into this section's content and start talking about the real issues.
How do you alert another IT Admin that their server has been hacked or the server is being abused?
"I've been reading logs for so many years I have nearly given up on reporting any issue. It just doesn't pay to spend the time." (author unknown to you)
It's true, and reading log reports is seriously a time-consuming process. I start each day at 6:30am (if I haven't been coding all night). With the first cup of coffee I log onto the log server and pull up the stats. Anything unusual in the last 24 hours? Yes, port 3389 has gone nuts. Big deal, I don't run remote desktop so it's not a problem.
Reading more into the reports I start seeing whose systems attempted connections on nonstandard ports. Now the reading becomes time consuming: whois lookups, etc. Luckily I have a workbook that gives me all the US connections, then a quick batch script to see what's online at the time of my reading.
You see, I only look for servers that are not doing the role they were designed for. Anything else would be a waste of time and reporting would be nearly impossible. So I stick with servers which means out of 100 quick checks 10 might be servers. (Script it to look for services running and you'll cut your time down.)
Ports 21, 80, 443 and 25 should do the trick when you are looking at a box that attempted a 3389 connection to your workstation.
The role FTP, WWW, SSL and SMTP servers play typically doesn't include trying to connect to one of Murray's computers or servers. This means something is wrong, seriously wrong. Was the IT Admin attempting a connection? I don't think so, unless they were bored or wanted to have me look them up.
Now, with what I said so far I'd like to introduce you to my method of reporting and what I ignore vs what I act on.
I have set levels of priority which are as follows:
- Health and Medical Industry
- Small Business
The industry groups outside of my scope are logged, but I don't contact them due to the lack of response. The top 3 often never reply, but I do set up to follow up and flag the IP address for 7 days of strict monitoring.
Monitoring is passive, not aggressive. I only monitor connections made to networks I administer. I do not use remote scanning applications for one simple reason: I don't need to follow up with a port scan. I have the logs of what your server was attempting to do on my network, which is all I need to identify a zombie system or a botnet.
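The daily log triage described above (external sources hitting ports such as 3389 that the network does not serve) and the 7-day strict-monitoring flag can both be scripted from the firewall logs alone, with no remote scanning. The following Python is an added example written for this page, not the author's batch script or workbook. The log line format, the served-port set (25, 80, 443), the monitored network (192.0.2.0/24) and all addresses are constructed assumptions drawn from the RFC 5737 documentation ranges.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall lines (assumed format for this example; not real
# log-server output).  Fields: timestamp, action, protocol, src:port -> dst:port.
SAMPLE_LOG = """\
2012-04-24T06:41:02 DROP TCP 203.0.113.7:51234 -> 192.0.2.10:3389
2012-04-24T06:41:05 DROP TCP 203.0.113.7:51235 -> 192.0.2.10:3389
2012-04-24T06:41:09 DROP TCP 203.0.113.7:51236 -> 192.0.2.11:3389
2012-04-24T07:02:44 DROP TCP 198.51.100.22:40011 -> 192.0.2.10:3389
2012-04-24T08:15:30 ACCEPT TCP 198.51.100.80:44321 -> 192.0.2.10:443
2012-04-24T09:10:01 DROP TCP 203.0.113.7:51300 -> 192.0.2.12:1433
2012-04-24T10:30:00 ACCEPT TCP 192.0.2.55:50000 -> 192.0.2.10:443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Ports for services actually exposed on the monitored network (assumption).
SERVED_PORTS = {25, 80, 443}
# Address space the admin is responsible for (assumption; RFC 5737 test range).
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")


def parse_ts(text):
    """ISO-8601 timestamp as used in the constructed log lines."""
    return datetime.fromisoformat(text)


def parse_line(line):
    """Return the fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": parse_ts(d["ts"]),
        "action": d["action"],
        "src": ipaddress.ip_address(d["src"]),
        "dst": ipaddress.ip_address(d["dst"]),
        "dport": int(d["dport"]),
    }


def unexpected_attempts(log_text, served_ports=SERVED_PORTS, local_net=LOCAL_NET):
    """Per external source, count attempts to ports this network does not serve.

    Returns (hits, first_seen): hits maps source -> Counter of destination
    ports; first_seen maps source -> timestamp of its first unexpected attempt.
    """
    hits = defaultdict(Counter)
    first_seen = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["src"] in local_net:
            continue  # internal traffic is out of scope for this report
        if rec["dport"] in served_ports:
            continue  # ordinary client traffic to a service we do run
        src = str(rec["src"])
        hits[src][rec["dport"]] += 1
        first_seen.setdefault(src, rec["ts"])
    return hits, first_seen


def triage(hits):
    """Sources ordered by total unexpected attempts, most active first."""
    return sorted(
        ((src, sum(c.values()), dict(c)) for src, c in hits.items()),
        key=lambda t: (-t[1], t[0]),
    )


def build_watchlist(first_seen, days=7):
    """Flag each source for strict monitoring until first_seen + days."""
    return {src: ts + timedelta(days=days) for src, ts in first_seen.items()}


def on_watch(watchlist, src, now):
    """True while the source's strict-monitoring window is still open."""
    expiry = watchlist.get(src)
    return expiry is not None and now < expiry


if __name__ == "__main__":
    hits, first_seen = unexpected_attempts(SAMPLE_LOG)
    for src, total, ports in triage(hits):
        print(f"{src}: {total} unexpected attempts, by port {ports}")
    for src, expiry in build_watchlist(first_seen).items():
        print(f"strict monitoring of {src} until {expiry:%Y-%m-%d}")
```

The report only reads what the sources did on the monitored network, matching the passive stance above: the triage list is what goes into the contact or follow-up decision, and the watchlist expiry is what the next morning's review checks before deciding whether an address is still worth the whois and lookup time.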
What are you doing to help your IT community?
Wednesday Apr 25 2012
One of the biggest challenges I have found over all these years is getting the server admin or network admin to actually respond to a notice that they may have a serious problem. It could be that they don't want to know or they just don't want to admit that something was wrong which might lead to some bad PR.